As is generally known in the areas of cryptography and computer security, a man-in-the-middle attack is an attack in which a malicious entity (e.g. a compromised networking device, a malicious software module, etc.) secretly relays and possibly alters communications between two entities that believe they are communicating directly with each other. One example of a man-in-the-middle attack is active eavesdropping, in which the malicious entity makes independent connections with the communicating computer systems and selectively relays messages between the systems to make them believe they are communicating directly with each other over a private connection, while in fact the entire communication session is being controlled and potentially modified by the attacker. To accomplish this, an attacker must be able to intercept all relevant messages passing between the two systems, and also to inject new messages. Performing such message interception and injection may be straightforward under many circumstances.
Existing cryptographic protocols include forms of endpoint authentication that are specifically intended to prevent man-in-the-middle attacks. For example, the TLS (Transport Layer Security) protocol and its predecessor the SSL (Secure Sockets Layer) protocol include authentication of one or both communicating entities within a public key infrastructure (PKI), using a mutually trusted certificate authority (CA). In addition to these techniques, some client-server environments have also provided what is generally referred to as “certificate pinning”, in which the client attempts to avoid a man-in-the-middle attack by comparing a previously obtained certificate to a certificate that is subsequently obtained from the same server, and then allowing communication with the server only when there is a match between the two certificates.
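The pinning comparison described above can be sketched as follows. This is an added example, not code from the original document; the `PinStore` class, the host names and the byte strings standing in for certificates are all hypothetical, and the choice to compare SHA-256 digests of the DER encoding rather than the raw certificates is an assumption of the example.

```python
import hashlib
import hmac
import ssl

# Constructed byte strings standing in for DER-encoded certificates.
ENROLLED_DER = b"constructed-der-bytes:mdm.example.internal:original"
SUBSTITUTED_DER = b"constructed-der-bytes:mdm.example.internal:relay"


def fingerprint(cert):
    """SHA-256 of the DER encoding; accepts DER bytes or PEM text."""
    if isinstance(cert, str):
        cert = ssl.PEM_cert_to_DER_cert(cert)  # normalise PEM to DER first
    return hashlib.sha256(cert).digest()


class PinStore:
    """Hypothetical local store of previously obtained certificates."""

    def __init__(self):
        self._pins = {}

    def pin(self, server, cert):
        self._pins[server.lower()] = fingerprint(cert)

    def verdict(self, server, presented):
        """Return 'match', 'mismatch' or 'no-pin' for a presented certificate."""
        pinned = self._pins.get(server.lower())
        if pinned is None:
            return "no-pin"
        # Constant-time comparison of the two digests.
        same = hmac.compare_digest(pinned, fingerprint(presented))
        return "match" if same else "mismatch"

    def allow(self, server, presented):
        # Fail closed: only an exact match permits communication.
        return self.verdict(server, presented) == "match"


def demo():
    store = PinStore()
    store.pin("mdm.example.internal", ENROLLED_DER)
    as_pem = ssl.DER_cert_to_PEM_cert(ENROLLED_DER)  # same cert, PEM form
    return {
        "same certificate (DER)": store.allow("mdm.example.internal", ENROLLED_DER),
        "same certificate (PEM)": store.allow("MDM.example.internal", as_pem),
        "different certificate": store.verdict("mdm.example.internal", SUBSTITUTED_DER),
        "server never pinned": store.verdict("other.example.internal", ENROLLED_DER),
    }
```

Normalising PEM to DER before hashing keeps a re-encoded copy of the same certificate from being rejected, and treating a missing pin as a refusal keeps the check from silently passing for a server that was never pinned.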
Operation of user devices in highly secure networked environments introduces specific challenges with regard to performing effective certificate pinning. Some highly secure organizations may, while certain operations are performed or at all times, prevent access to data resources that are outside of their physical control, e.g. that are located outside the physical premises of the organization. In some cases, an organization may require that a user device be disconnected from all external networks at certain times, e.g. while a highly sensitive operation is being performed. In other cases, the organization may prevent data that is used during the highly sensitive operation from being stored on any server that is located on a network that is not under the control of the organization. In either case, certificate pinning in networked environments of such highly secure organizations must often be performed using only resources that are within the organization's physical control.
One example of a highly sensitive operation is enrollment of a user device with an organization's Mobile Device Management (MDM) system. As is generally known, an MDM system enables the organization to monitor and manage user devices, including mobile devices, potentially across multiple mobile service providers and multiple operating systems. An MDM system enforces policies and controls the operation of mobile and other user devices that are enrolled with the MDM system. MDM systems are capable of providing the organization with end-to-end security, so that mobile applications, network(s) and/or data that are used by an enrolled device, as well as the enrolled device itself, are all managed by the MDM system. After a user device has been enrolled with the organization's MDM system, the device is considered “sanitized”, and the user of the enrolled device may be permitted to access the organization's private resources (e.g. hardware resources such as servers and/or communication networks, software resources such as databases, applications, etc.) through the enrolled mobile device. A successful man-in-the-middle attack performed during the MDM system enrollment process for a user device may compromise what is sometimes referred to as the “control path” (e.g. a secure connection) between the MDM system and the user device, by establishing a malicious entity that intercepts control messages between the MDM system and the user device, unbeknownst to either the MDM system or the device. The malicious entity may intercept and acknowledge control messages sent from the MDM system to the user device, causing the MDM system to believe that the control messages have been successfully received by and performed on the user device, when in fact the messages were never delivered to the device.
For example, when an employee leaves the organization, the MDM may send a “scrub” command or the like to the employee's mobile device that, if received and executed properly on the device, would cause the device to delete all the private data that it stores, and also prevent the device from performing any subsequent accesses to the organization's private resources. If the malicious entity intercepts the scrub message sent by the MDM and prevents delivery of the scrub message to the user device, and also sends a fake acknowledgement to the MDM system erroneously indicating that the scrub message was successfully delivered to the user device, the device may continue to access the organization's private resources even after the employee has left the organization, and without the knowledge of the organization.